Crime on the internet using malware programs has evolved into a lucrative business that is controlled in part by organized crime. An estimated half or more of online users are infected with malware programs that target their personal information.
Malware programs that threaten communication on the internet employ a variety of methods, for example, phishing; key logging, which records the user's keystrokes and secretly sends them to an attacker; form grabbing, which steals what the user types into a web form before it is submitted; session hijacking, which replaces a pending transaction or adds entirely new transactions to an authenticated session; and content injection, which manipulates web pages so that falsified information is displayed to the user. These methods pose a threat, for example, by performing unauthorized transactions with the stolen user information, by redirecting the user to malicious websites that masquerade as legitimate websites, and by manipulating the content of web pages in transit so that the content is misrepresented to the user. When the user employs a browser application on the user's communication device to access the website of a bank or a brokerage, perform a financial transaction, etc., the malware programs exploit weaknesses in the browser architecture to achieve their mala fide purposes.
The primary goal of browser applications is to deliver a rich platform for web applications and to allow third party vendors to offer value added services, for example, browser add-ons or extensions such as Flash® of Adobe Systems Incorporated, a viewer for the portable document format (PDF) of Adobe Systems Incorporated, the Google™ toolbar, etc. Existing browser applications are not designed to secure user information or online transactions. There is an unmet need for distinguishing legitimate value added services from malware programs that utilize the same browser infrastructure for malicious purposes.
A security mechanism such as the secure sockets layer (SSL) is by itself inadequate for securing transactions, since the architectures of browser applications were originally designed to offer a rich and extensible platform for accessing a variety of web content. While SSL protects information in transit, the networking architectures of these browser applications make it easy to eavesdrop on, hijack, or modify information before it is encrypted or after it is decrypted by the SSL layer. Existing security solutions, for example, anti-virus and anti-spyware programs that employ signature based detection, are not sufficient given the huge influx of new malware programs: the time lag between the detection of a new piece of spyware and the deployment of a signature for it is long enough to cause substantial damage. Heuristic methods employed to detect new threats cause annoyance and false positives, and often require the user to make the right decision.
Proactive transaction security solutions available today try to counter specific malicious techniques, for example, key logging, rather than the fundamental threats, for example, the theft of personal information and the performance of unauthorized transactions, and thereby leave large security holes.
Operating systems that focus on delivering a rich platform for various applications expose interfaces for monitoring or altering system activities such as keyboard input, screen content, networking, file access, etc. While the goal of such a platform is to enable third party vendors to offer value added services, for example, accessibility tools, parental controls, firewalls, anti-malware programs, etc., hackers utilize the same interfaces for malicious purposes.
Unauthorized entities, for example, malware programs, can attempt to directly access memory content and manipulate code and data on a user's communication device. The degree of access varies with the operating system of the user's communication device. Some web browsers give multiple third party applications access to the currently displayed web page, enabling those applications to read and/or modify the web page for accessibility enhancements. However, the same access allows malware programs to read and/or manipulate form data such as passwords and/or to manipulate the flow of form submission, for example, by form grabbing, content injection, etc.
Browser applications employ the networking layer or network stack provided by the operating system of the user's communication device to communicate with a web server. The operating system exposes the network stack to multiple third party vendors, who may intercept or manipulate the flow of information, for example, for content filtering, firewall applications, etc. An infrastructure such as the layered service provider (LSP) of the Winsock 2 service provider interface (SPI) and the name service provider (NSP) in Windows® of Microsoft Corporation allows third party vendors to replace components of the operating system's network stack with their own code, or to layer their code above or below those components, in order to inspect or modify the communication flow. Malware programs exploit the same feature, for example, to steal information and hijack the transaction at the networking level.
The browser applications also utilize a communication layer on top of the network stack of the operating system to extend the supported protocols, for example, the “res:” and “file:” schemes used to load content from the local system, the “javascript:” scheme used to execute JavaScript, etc. The browser applications also expose the communication layer to third party vendors to provide value added services, for example, content filtering, custom protocols, etc.
In an operating system, for example, Windows® of Microsoft Corporation, the component object model (COM) is used to expose services to third party applications. For example, the JavaScript engines and the Visual Basic Script (VBScript) engines are implemented as COM objects. Because a COM object is located through its registration rather than through a fixed file path, these script engines are vulnerable to redirection: an entity that alters the registration can cause a different implementation of the COM object to be loaded in place of the original.
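The redirection described above is visible in the registry: a per-user COM registration (HKCU) takes precedence over the machine-wide one (HKLM) for the same class identifier, so the in-process server of a script engine can be pointed at another DLL without touching the original file. The following check, added here as an illustration and not code from the original document, reads both registrations and reports which one will actually be loaded. The registry access runs only on Windows; the decision logic is a pure function that can be exercised anywhere. The two CLSIDs are assumed to be the well-known JScript and VBScript engine identifiers on typical Windows installations and should be confirmed against the system under test.

```python
"""Detect per-user redirection of the script-engine COM objects.

Added illustration, not code from the original document. Assumptions: the
CLSIDs below are the customary JScript/VBScript engine identifiers (verify on
your own system); on 64-bit Windows the 32-bit view under WOW6432Node is not
inspected here.
"""
from typing import Dict, Optional, Tuple

SCRIPT_ENGINES = {
    "JScript": "{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}",   # assumed well-known CLSID
    "VBScript": "{B54F3741-5B07-11CF-A4B0-00AA004A55E8}",  # assumed well-known CLSID
}


def _norm(server: str) -> str:
    """Best-effort normalisation of an InprocServer32 value for comparison."""
    return server.strip().strip('"').lower()


def classify_registration(machine_server: Optional[str],
                          user_server: Optional[str]) -> str:
    """Decide which implementation of a COM class will actually be loaded.

    machine_server: InprocServer32 default value under HKLM, None if absent.
    user_server:    InprocServer32 default value under HKCU, None if absent.
    HKCU is consulted first, so a differing HKCU value redirects the class.
    """
    if user_server is None:
        return "unregistered" if machine_server is None else "ok"
    if machine_server is not None and _norm(user_server) == _norm(machine_server):
        return "ok"          # per-user entry merely duplicates the machine entry
    return "redirected"      # per-user entry loads a different implementation


def read_inproc_server(hive_name: str, clsid: str) -> Optional[str]:
    """Read InprocServer32's default value for clsid from HKLM or HKCU.

    Windows only: importing winreg fails elsewhere.
    """
    import winreg
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE,
            "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    path = rf"Software\Classes\CLSID\{clsid}\InprocServer32"
    try:
        with winreg.OpenKey(hive, path) as key:
            value, _ = winreg.QueryValueEx(key, "")   # "" names the default value
            return value
    except FileNotFoundError:
        return None


def audit_script_engines() -> Dict[str, Tuple[str, Optional[str]]]:
    """Windows only: verdict and effective server path for each engine."""
    report = {}
    for name, clsid in SCRIPT_ENGINES.items():
        machine = read_inproc_server("HKLM", clsid)
        user = read_inproc_server("HKCU", clsid)
        report[name] = (classify_registration(machine, user), user or machine)
    return report


if __name__ == "__main__":
    for engine, (verdict, server) in audit_script_engines().items():
        print(f"{engine}: {verdict} ({server})")
```

A verdict of "redirected" means that any component in the process, the browser included, which instantiates the script engine by CLSID will receive the per-user implementation; the machine-wide DLL on disk is never consulted, so file-integrity checks of that DLL alone do not detect the substitution.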
The standard protocols for online transactions are, for example, the hypertext transfer protocol (HTTP) and the hypertext transfer protocol secure (HTTPS) protocol. Sensitive information and transactions are exchanged over these protocols, and HTTPS in particular provides content integrity, secrecy, and website identity. Unauthorized entities such as malware programs gain little by intercepting encrypted data once it has left the application; instead, they attempt to intercept the data flow before encryption and/or after decryption, either by manipulating the network stack of the operating system of the user's communication device or by manipulating the communication layer of the browser application.
The HTTP protocol provides a feature whereby websites can store state information, for example, a user's login credentials, session information, etc., on the user's communication device in the form of browser cookies or web cookies. For example, after authenticating the user, transaction websites store identification data in a cookie to avoid asking the user to log in again for every request during that session. A networking component of the browser application manages the cookie information and automatically sends it back to the website with subsequent requests; the website uses the cookie to identify the user during subsequent online transactions and so does not request the user's login credentials for every click. Malware programs that monitor the communication flow steal the cookie information and conduct unauthorized transactions unbeknownst to the user, and the websites carry out those requests because they are unable to distinguish them from legitimate requests. Furthermore, the networking component is caller agnostic: it attaches the cookie information to every request to the respective transaction website regardless of which code inside the browser issued the request. Unauthorized entities such as malware programs running inside the browser application therefore need only invoke the networking component, once the user has logged in to the transaction website, to conduct unauthorized transactions.
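The caller-agnostic behaviour can be reproduced with Python's standard cookie jar, which attaches cookies by target URL exactly as the browser's networking component does. The example below is added here as an illustration and is not code from the original document: the "bank" is a constructed in-memory stand-in for a transaction website (hostname bank.example, credential hunter2, and the X-Caller header exist only to label the ledger), while the cookie handling is the real http.cookiejar. Malicious code that never saw the password still gets an accepted transfer because it shares the jar.

```python
"""Session riding through a caller-agnostic cookie manager.

Added illustration, not code from the original document. The bank server,
its hostname, credential and the X-Caller header are constructed; only the
cookie jar behaviour is the real standard-library component.
"""
import email.message
import http.cookiejar
import secrets
import urllib.request
from urllib.parse import parse_qs, urlparse

BANK = "http://bank.example"   # constructed hostname, never contacted on the network
SESSIONS = {}                  # session id -> username (server-side state)
LEDGER = []                    # (username, amount, recipient, caller label)


def bank_server(method, url, headers, body):
    """Constructed stand-in for the website. Returns (status, reply_headers, text)."""
    path = urlparse(url).path
    params = parse_qs(body or "")
    reply = email.message.Message()
    if method == "POST" and path == "/login":
        if params.get("pw") == ["hunter2"]:                 # constructed credential
            sid = secrets.token_hex(8)
            SESSIONS[sid] = params["user"][0]
            reply["Set-Cookie"] = f"SID={sid}; Path=/"       # identifies the session from now on
            return 200, reply, "logged in"
        return 401, reply, "bad credentials"
    # Every other request is identified purely by the cookie it carries.
    pairs = (kv.strip().split("=", 1) for kv in headers.get("cookie", "").split(";"))
    sid = dict(p for p in pairs if len(p) == 2).get("SID")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, reply, "login required"
    if method == "POST" and path == "/transfer":
        LEDGER.append((user, int(params["amount"][0]), params["to"][0], headers.get("x-caller")))
        return 200, reply, "transfer accepted"
    return 404, reply, "no such page"


class _Response:
    """Minimal response object exposing the info() method CookieJar expects."""
    def __init__(self, msg):
        self._msg = msg

    def info(self):
        return self._msg


def fetch(jar, method, url, body=None, caller="unknown"):
    """The browser's networking component: cookie lookup is keyed by URL,
    not by caller, so every caller inherits the user's session."""
    req = urllib.request.Request(url, method=method)
    req.add_header("X-Caller", caller)       # constructed label for the ledger only
    jar.add_cookie_header(req)               # adds "Cookie: SID=..." if the jar has one
    headers = {k.lower(): v for k, v in req.header_items()}
    status, reply, text = bank_server(method, url, headers, body)
    jar.extract_cookies(_Response(reply), req)   # stores Set-Cookie from the reply
    return status, text


def session_riding_demo():
    """Login by the user, one legitimate transfer, one transfer by malicious code."""
    SESSIONS.clear()
    LEDGER.clear()
    jar = http.cookiejar.CookieJar()
    fetch(jar, "POST", BANK + "/login", "user=alice&pw=hunter2", caller="login-page")
    fetch(jar, "POST", BANK + "/transfer", "amount=50&to=bob", caller="bank-page")
    # Malicious code in the same browser process calls the same component.
    status, text = fetch(jar, "POST", BANK + "/transfer", "amount=900&to=mule", caller="evil-addon")
    return status, text, list(LEDGER)


def anonymous_transfer():
    """Same malicious request with an empty jar: rejected, so the cookie is the whole difference."""
    return fetch(http.cookiejar.CookieJar(), "POST", BANK + "/transfer", "amount=900&to=mule",
                 caller="evil-addon")[0]


if __name__ == "__main__":
    print(session_riding_demo())
    print(anonymous_transfer())
```

The ledger records both transfers under the same user, and the server has no field in the request on which to tell them apart; a request-side anti-forgery token would not help either, since code running inside the browser can read the page that carries it.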
The HTTPS/SSL protocol employed by transaction websites uses digital certificates to establish the identity of the transaction websites. Browser applications maintain a list of trusted root certificates. Certificate authorities issue a secure sockets layer (SSL) certificate that chains up to a root certificate, and a browser verifies the SSL certificate presented by a website by checking the website name, the validity period, etc., and by ensuring that the certificate chain ends at one of the root certificates in the root certificate store that the browser maintains. Moreover, typical operating systems provide application programming interfaces (APIs) to add or manipulate trusted root certificates in the root certificate store. Malicious programs can use these APIs to insert their own root certificate into the root certificate store of the browser. A malicious website purporting to be a legitimate transaction website, or an unauthorized entity intercepting the data flow between the user's communication device and the transaction website, can then present a fake certificate issued under the inserted root, and the web browser identifies that certificate as trusted because its root certificate store has been manipulated.
An internet naming system uses domain names so that users can remember the addresses of websites. The networking layer or network stack of the operating system of the user's communication device translates a domain name into an internet protocol (IP) address, for example, 192.0.43.10, in a process called domain name resolution. Servers that maintain the mapping and perform the resolution are domain name system (DNS) servers. Operating systems typically maintain a local hosts file containing domain name to IP address mappings, which can be used to point a domain name at a specific server if needed, and cache completed name resolutions in a DNS resolver cache to speed up subsequent requests. Malware programs intercept the name resolution process and direct the user to malicious websites: malware installed on the user's communication device can modify the local hosts file, intercept the name resolution request for a website, or manipulate the local DNS resolver cache. Malware programs also apply this method to block security measures, for example, by blocking a signature file update, and thus evade detection. There are also methods that work outside of the user's communication device, such as hijacking DNS servers or poisoning their caches, referred to as DNS poisoning.
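Of the local attacks listed above, the hosts-file modification is the easiest to audit, because the file is plain text and the two malicious patterns are distinct: a transaction website mapped to an attacker's address, and an update server mapped to a loopback or unspecified address so that the update silently fails. The checker below is added here as an illustration and is not code from the original document; the watch list, the hostnames and the sample hosts file are constructed. On a real system the same function would be run over the contents of %SystemRoot%\System32\drivers\etc\hosts (Windows) or /etc/hosts.

```python
"""Audit a hosts file for the redirection and blocking patterns used by malware.

Added illustration, not code from the original document. WATCHED_HOSTS and
SAMPLE_HOSTS are constructed; replace the watch list with the transaction and
update hosts that matter in your environment.
"""
import ipaddress
from typing import Iterator, List, Tuple

# Constructed watch list: names that a clean hosts file should never mention.
WATCHED_HOSTS = {"bank.example", "www.bank.example", "updates.avvendor.example"}

# Names that legitimately map to loopback on most systems.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample resembling a tampered Windows hosts file.
SAMPLE_HOSTS = """\
# Hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate local override
198.51.100.23   www.bank.example bank.example
127.0.0.1       updates.avvendor.example
0.0.0.0         telemetry.example
"""


def parse_hosts(text: str) -> Iterator[Tuple[ipaddress._BaseAddress, str, int]]:
    """Yield (ip, hostname, line_number) for every mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing and whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line; not a mapping
        for name in fields[1:]:                   # one address may serve several names
            yield ip, name.lower().rstrip("."), line_no


def audit_hosts(text: str, watched=frozenset(WATCHED_HOSTS)) -> List[Tuple[int, str, str, str]]:
    """Return findings as (line_number, hostname, address, reason).

    redirected: a watched host resolves to some other server
    blackholed: a watched host resolves to loopback/unspecified (update blocking)
    blocked:    any other non-local name resolves to loopback/unspecified
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        if name in watched:
            findings.append((line_no, name, str(ip), "blackholed" if sinkhole else "redirected"))
        elif sinkhole:
            findings.append((line_no, name, str(ip), "blocked"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

A hosts-file entry only covers the first of the three local techniques the text names; an intercepted resolver call or a poisoned resolver cache leaves the file untouched, so a complete check also compares what the system actually resolves for a watched name against an answer obtained out of band.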
Key logging is one of the most commonly used techniques for stealing user credentials and sensitive personal information entered on a web page. Typical operating systems provide methods to intercept or record keystrokes. A keystroke from the computer keyboard passes through several layers of operating system and application code before the corresponding character is displayed to the user. A malware program present anywhere along that path can intercept the keystrokes at any one of the layers, capture their data, utilize the data to carry out malicious activities, and transmit the data to a hacker.
Many websites employ virtual keyboards to prevent malware programs from capturing the data from keystrokes. However, malware programs utilize screen capturing to defeat virtual keyboards, so the virtual keyboards used by banking websites do not offer much protection: several other techniques are at the disposal of cyber criminals for stealing information or conducting unauthorized transactions. For example, an operating system such as Windows® of Microsoft Corporation automatically copies the window content or desktop content to the clipboard when the print screen key is pressed, and the clipboard content can easily be accessed as an image or saved to a file. A malware program can simulate this print screen keystroke to capture the content of a web page that displays a virtual keyboard. The malware program can take a screenshot as soon as the user selects a key on the virtual keyboard and record the position of the mouse pointer to determine which key was selected.
Hence, there is a long felt but unresolved need for a computer implemented method and system that provides a rich platform for websites and allows third party vendors to offer value added services, while distinguishing legitimate value added services from malware programs and protecting memory content, and hence preventing manipulation of code and data. Moreover, there is a need for a computer implemented method and system that prevents multiple third party applications from accessing a displayed web page and prevents interception or manipulation of the flow of information by unauthorized entities, for example, malware programs. Furthermore, there is a need for a computer implemented method and system that prevents interception of the data flow before encryption and/or after decryption, prevents malware programs from monitoring the communication flow and thereby prohibits the stealing of cookie information and the conducting of unauthorized transactions unbeknownst to the user, prevents tampering with trusted root certificate stores, and blocks third party interception and manipulation of the default configured domain name system. Furthermore, there is a need for a computer implemented method and system that ensures the loading of authenticated original component services exposed by component object model (COM) objects and also secures the transfer of input information acquired from a user via an input device.